<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<!-- GenHTML revision 25226-->
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<title>Examples: Securing Enterprise Beans - The Java EE 6 Tutorial</title>
<meta name="robots" content="index,follow">
<meta name="robots" content="index,follow">
<meta name="date" content="2011-03-01">
<link rel="stylesheet" type="text/css" href="css/default.css">
<link rel="stylesheet" type="text/css" href="css/ipg.css">
<link rel="stylesheet" type="text/css" href="css/javaeetutorial.css">
</head>

<body>

<table border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody>
   <tr valign="top">
      <td width="400px"><p class="toc level1"><a href="docinfo.html">Document Information</a></p>
<p class="toc level1 tocsp"><a href="gexaf.html">Preface</a></p>
<p class="toc level1 tocsp"><a href="gfirp.html">Part&nbsp;I&nbsp;Introduction</a></p>
<p class="toc level2"><a href="bnaaw.html">1.&nbsp;&nbsp;Overview</a></p>
<p class="toc level2"><a href="gfiud.html">2.&nbsp;&nbsp;Using the Tutorial Examples</a></p>
<p class="toc level1 tocsp"><a href="bnadp.html">Part&nbsp;II&nbsp;The Web Tier</a></p>
<p class="toc level2"><a href="bnadr.html">3.&nbsp;&nbsp;Getting Started with Web Applications</a></p>
<p class="toc level2"><a href="bnaph.html">4.&nbsp;&nbsp;JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="giepx.html">5.&nbsp;&nbsp;Introduction to Facelets</a></p>
<p class="toc level2"><a href="gjddd.html">6.&nbsp;&nbsp;Expression Language</a></p>
<p class="toc level2"><a href="bnaqz.html">7.&nbsp;&nbsp;Using JavaServer Faces Technology in Web Pages</a></p>
<p class="toc level2"><a href="gjcut.html">8.&nbsp;&nbsp;Using Converters, Listeners, and Validators</a></p>
<p class="toc level2"><a href="bnatx.html">9.&nbsp;&nbsp;Developing with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkmaa.html">10.&nbsp;&nbsp;JavaServer Faces Technology Advanced Concepts</a></p>
<p class="toc level2"><a href="bnawo.html">11.&nbsp;&nbsp;Configuring JavaServer Faces Applications</a></p>
<p class="toc level2"><a href="gkiow.html">12.&nbsp;&nbsp;Using Ajax with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkhxa.html">13.&nbsp;&nbsp;Advanced Composite Components</a></p>
<p class="toc level2"><a href="bnavg.html">14.&nbsp;&nbsp;Creating Custom UI Components</a></p>
<p class="toc level2"><a href="bnafd.html">15.&nbsp;&nbsp;Java Servlet Technology</a></p>
<p class="toc level2"><a href="bnaxu.html">16.&nbsp;&nbsp;Internationalizing and Localizing Web Applications</a></p>
<p class="toc level1 tocsp"><a href="bnayk.html">Part&nbsp;III&nbsp;Web Services</a></p>
<p class="toc level2"><a href="gijti.html">17.&nbsp;&nbsp;Introduction to Web Services</a></p>
<p class="toc level2"><a href="bnayl.html">18.&nbsp;&nbsp;Building Web Services with JAX-WS</a></p>
<p class="toc level2"><a href="giepu.html">19.&nbsp;&nbsp;Building RESTful Web Services with JAX-RS</a></p>
<p class="toc level2"><a href="gjjxe.html">20.&nbsp;&nbsp;Advanced JAX-RS Features</a></p>
<p class="toc level2"><a href="gkojl.html">21.&nbsp;&nbsp;Running the Advanced JAX-RS Example Application</a></p>
<p class="toc level1 tocsp"><a href="bnblr.html">Part&nbsp;IV&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijsz.html">22.&nbsp;&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijre.html">23.&nbsp;&nbsp;Getting Started with Enterprise Beans</a></p>
<p class="toc level2"><a href="gijrb.html">24.&nbsp;&nbsp;Running the Enterprise Bean Examples</a></p>
<p class="toc level2"><a href="bnbpk.html">25.&nbsp;&nbsp;A Message-Driven Bean Example</a></p>
<p class="toc level2"><a href="gkcqz.html">26.&nbsp;&nbsp;Using the Embedded Enterprise Bean Container</a></p>
<p class="toc level2"><a href="gkidz.html">27.&nbsp;&nbsp;Using Asynchronous Method Invocation in Session Beans</a></p>
<p class="toc level1 tocsp"><a href="gjbnr.html">Part&nbsp;V&nbsp;Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="giwhb.html">28.&nbsp;&nbsp;Introduction to Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="gjbls.html">29.&nbsp;&nbsp;Running the Basic Contexts and Dependency Injection Examples</a></p>
<p class="toc level2"><a href="gjehi.html">30.&nbsp;&nbsp;Contexts and Dependency Injection for the Java EE Platform: Advanced Topics</a></p>
<p class="toc level2"><a href="gkhre.html">31.&nbsp;&nbsp;Running the Advanced Contexts and Dependency Injection Examples</a></p>
<p class="toc level1 tocsp"><a href="bnbpy.html">Part&nbsp;VI&nbsp;Persistence</a></p>
<p class="toc level2"><a href="bnbpz.html">32.&nbsp;&nbsp;Introduction to the Java Persistence API</a></p>
<p class="toc level2"><a href="gijst.html">33.&nbsp;&nbsp;Running the Persistence Examples</a></p>
<p class="toc level2"><a href="bnbtg.html">34.&nbsp;&nbsp;The Java Persistence Query Language</a></p>
<p class="toc level2"><a href="gjitv.html">35.&nbsp;&nbsp;Using the Criteria API to Create Queries</a></p>
<p class="toc level2"><a href="gkjiq.html">36.&nbsp;&nbsp;Creating and Using String-Based Criteria Queries</a></p>
<p class="toc level2"><a href="gkjjf.html">37.&nbsp;&nbsp;Controlling Concurrent Access to Entity Data with Locking</a></p>
<p class="toc level2"><a href="gkjia.html">38.&nbsp;&nbsp;Improving the Performance of Java Persistence API Applications By Setting a Second-Level Cache</a></p>
<p class="toc level1 tocsp"><a href="gijrp.html">Part&nbsp;VII&nbsp;Security</a></p>
<p class="toc level2"><a href="bnbwj.html">39.&nbsp;&nbsp;Introduction to Security in the Java EE Platform</a></p>
<p class="toc level2"><a href="bncas.html">40.&nbsp;&nbsp;Getting Started Securing Web Applications</a></p>
<p class="toc level2"><a href="bnbyk.html">41.&nbsp;&nbsp;Getting Started Securing Enterprise Applications</a></p>
<p class="toc level3"><a href="bnbyl.html">Securing Enterprise Beans</a></p>
<p class="toc level4"><a href="bnbyl.html#gjgdi">Securing an Enterprise Bean Using Declarative Security</a></p>
<p class="toc level5"><a href="bnbyl.html#gjgcq">Specifying Authorized Users by Declaring Security Roles</a></p>
<p class="toc level5"><a href="bnbyl.html#bnbyu">Specifying an Authentication Mechanism and Secure Connection</a></p>
<p class="toc level4 tocsp"><a href="bnbyl.html#gjgcs">Securing an Enterprise Bean Programmatically</a></p>
<p class="toc level5"><a href="bnbyl.html#gjgcr">Accessing an Enterprise Bean Caller's Security Context</a></p>
<p class="toc level4 tocsp"><a href="bnbyl.html#bnbyr">Propagating a Security Identity (Run-As)</a></p>
<p class="toc level5"><a href="bnbyl.html#bnbzb">Configuring a Component's Propagated Security Identity</a></p>
<p class="toc level5"><a href="bnbyl.html#bnbzc">Trust between Containers</a></p>
<p class="toc level4 tocsp"><a href="bnbyl.html#bnbzg">Deploying Secure Enterprise Beans</a></p>
<div id="scrolltoc" class="onpage">
<p class="toc level3 tocsp"><a href="">Examples: Securing Enterprise Beans</a></p>
<p class="toc level4"><a href="#bnbzk">Example: Securing an Enterprise Bean with Declarative Security</a></p>
<p class="toc level5"><a href="#bnbzl">Annotating the Bean</a></p>
<p class="toc level5"><a href="#bnbzn">To Build, Package, Deploy, and Run the Secure Cart Example Using NetBeans IDE</a></p>
<p class="toc level5"><a href="#bnbzo">To Build, Package, Deploy, and Run the Secure Cart Example Using Ant</a></p>
<p class="toc level4 tocsp"><a href="#bncaa">Example: Securing an Enterprise Bean with Programmatic Security</a></p>
<p class="toc level5"><a href="#bncab">Modifying <tt>ConverterBean</tt></a></p>
<p class="toc level5"><a href="#gkbsi">Modifying <tt>ConverterServlet</tt></a></p>
<p class="toc level5"><a href="#bncad">To Build, Package, and Deploy the Secure Converter Example Using NetBeans IDE</a></p>
<p class="toc level5"><a href="#bncae">To Build, Package, and Deploy the Secure Converter Example Using Ant</a></p>
<p class="toc level5"><a href="#gjtdp">To Run the Secure Converter Example</a></p>
</div>
<p class="toc level3 tocsp"><a href="bncah.html">Securing Application Clients</a></p>
<p class="toc level4"><a href="bncah.html#bncai">Using Login Modules</a></p>
<p class="toc level4"><a href="bncah.html#bncaj">Using Programmatic Login</a></p>
<p class="toc level3 tocsp"><a href="bncal.html">Securing Enterprise Information Systems Applications</a></p>
<p class="toc level4"><a href="bncal.html#bncam">Container-Managed Sign-On</a></p>
<p class="toc level4"><a href="bncal.html#bncan">Component-Managed Sign-On</a></p>
<p class="toc level4"><a href="bncal.html#bncao">Configuring Resource Adapter Security</a></p>
<p class="toc level4"><a href="bncal.html#bncap">To Map an Application Principal to EIS Principals</a></p>
<p class="toc level1 tocsp"><a href="gijue.html">Part&nbsp;VIII&nbsp;Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="gijto.html">42.&nbsp;&nbsp;Introduction to Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="bncih.html">43.&nbsp;&nbsp;Transactions</a></p>
<p class="toc level2"><a href="bncjh.html">44.&nbsp;&nbsp;Resource Connections</a></p>
<p class="toc level2"><a href="bncdq.html">45.&nbsp;&nbsp;Java Message Service Concepts</a></p>
<p class="toc level2"><a href="bncgv.html">46.&nbsp;&nbsp;Java Message Service Examples</a></p>
<p class="toc level2"><a href="gkahp.html">47.&nbsp;&nbsp;Advanced Bean Validation Concepts and Examples</a></p>
<p class="toc level2"><a href="gkeed.html">48.&nbsp;&nbsp;Using Java EE Interceptors</a></p>
<p class="toc level1 tocsp"><a href="gkgjw.html">Part&nbsp;IX&nbsp;Case Studies</a></p>
<p class="toc level2"><a href="gkaee.html">49.&nbsp;&nbsp;Duke's Tutoring Case Study Example</a></p>
<p class="toc level1 tocsp"><a href="idx-1.html">Index</a></p>
</td>
      <td width="10px">&nbsp;</td>
      <td>
         <div class="header">
             <div class="banner">
                <table width="100%" border="0" cellpadding="5" cellspacing="0">
                   <tbody>
                      <tr>
                         <td valign="bottom"><p class="Banner">The Java EE 6 Tutorial
</p></td>
                         <td align="right"  valign="bottom"><img src="graphics/javalogo.png" alt="Java Coffee Cup logo"></td>
                      </tr>
                   </tbody>
                </table>
             </div>

             <div class="header-links">
	         <a href="./index.html">Home</a> | 
<a href="../information/download.html">Download</a> | 
<a href="./javaeetutorial6.pdf">PDF</a> | 
<a href="../information/faq.html">FAQ</a> | 
<a href="http://download.oracle.com/javaee/feedback.htm">Feedback</a>

             </div>
             <div class="navigation">
                 <a href="bnbyl.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
                 <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
                 <a href="bncah.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
             </div>
         </div>

	 <div class="maincontent">      	 
             

<a name="gkbsz"></a><h2>Examples: Securing Enterprise Beans</h2>
<p>The following examples show how to secure enterprise beans using declarative and programmatic
security.</p>



<a name="bnbzk"></a><h3>Example: Securing an Enterprise Bean with Declarative Security</h3>
<a name="indexterm-2153"></a><a name="indexterm-2154"></a><a name="indexterm-2155"></a><p>This section discusses how to configure an enterprise bean for basic user name/password
authentication. When a bean that is constrained in this way is requested, the
server requests a user name and password from the client and verifies that
the user name and password are valid by comparing them against a database
of authorized users on the GlassFish Server.</p>

<p>If the topic of authentication is new to you, see <a href="gkbaa.html#bncbn">Specifying an Authentication Mechanism in the Deployment Descriptor</a>.</p>

<p>This example demonstrates security by starting with the unsecured enterprise bean application, 
<tt>cart</tt>, which is found in the directory <tt><i>tut-install</i>/examples/ejb/cart/</tt>  and is discussed
in <a href="bnbod.html">The <tt>cart</tt> Example</a>.</p>

<p>In general, the following steps are necessary to add user name/password authentication to
an existing application that contains an enterprise bean. In the example application included
with this tutorial, these steps have been completed for you and are listed
here simply to show what needs to be done should you wish to
create a similar application.</p>


<ol><li><p>Create an application like the one in <a href="bnbod.html">The <tt>cart</tt> Example</a>. The example in this tutorial starts with this example and demonstrates adding basic authentication of the client to this application. The example application discussed in this section can be found at <tt></tt><i>tut-install</i><tt>/examples/security/cart-secure/</tt>.</p>

</li>
<li><p>If you have not already done so, complete the steps in <a href="bncbx.html#gjjlk">To Set Up Your System for Running the Security Examples</a> to configure your system for running the tutorial applications.</p>

</li>
<li><p>Modify the source code for the enterprise bean, <tt>CartBean.java</tt>, to specify which roles are authorized to access which protected methods. This step is discussed in <a href="#bnbzl">Annotating the Bean</a>.</p>

</li>
<li><p>Build, package, and deploy the enterprise bean; then build and run the client application by following the steps in <a href="#bnbzn">To Build, Package, Deploy, and Run the Secure Cart Example Using NetBeans IDE</a> or <a href="#bnbzo">To Build, Package, Deploy, and Run the Secure Cart Example Using Ant</a>.</p>

</li></ol>


<a name="bnbzl"></a><h4>Annotating the Bean</h4>
<a name="indexterm-2156"></a><a name="indexterm-2157"></a><p>The source code for the original <tt>cart</tt> application was modified as shown in
the following code snippet (modifications in <b>bold</b>). The resulting file can be
found in the following location:</p>

<pre><i>tut-install</i>/examples/security/cart-secure/cart-secure-ejb/src/java/cart/
ejb/CartBean.java</pre><p>The code snippet is as follows:</p>

<pre>package cart.ejb;

import cart.util.BookException;
import cart.util.IdVerifier;
import java.util.ArrayList;
import java.util.List;
import javax.ejb.Remove;
import javax.ejb.Stateful;
<b>import javax.annotation.security.DeclareRoles;</b>
<b>import javax.annotation.security.RolesAllowed;</b>

@Stateful
<b>@DeclareRoles("TutorialUser")</b>
public class CartBean implements Cart {
    List&lt;String> contents;
    String customerId;
    String customerName;

    public void initialize(String person) throws BookException {
        if (person == null) {
            throw new BookException("Null person not allowed.");
        } else {
            customerName = person;
        }

        customerId = "0";
        contents = new ArrayList&lt;String>();
    }

    public void initialize(
        String person,
        String id) throws BookException {
        if (person == null) {
            throw new BookException("Null person not allowed.");
        } else {
            customerName = person;
        }

        IdVerifier idChecker = new IdVerifier();

        if (idChecker.validate(id)) {
            customerId = id;
        } else {
            throw new BookException("Invalid id: " + id);
        }

        contents = new ArrayList&lt;String>();
    }

    <b>@RolesAllowed("TutorialUser")</b>
    public void addBook(String title) {
        contents.add(title);
    }

    <b>@RolesAllowed("TutorialUser")</b>
    public void removeBook(String title) throws BookException {
        boolean result = contents.remove(title);

        if (result == false) {
            throw new BookException("\"" + title + "\" not in cart.");
        }
    }

    <b>@RolesAllowed("TutorialUser")</b>
    public List&lt;String> getContents() {
        return contents;
    }

    @Remove()
    <b>@RolesAllowed("TutorialUser")</b>
    public void remove() {
        contents = null;
    }
}</pre><p>The <tt>@RolesAllowed</tt> annotation is specified on methods for which you want to restrict
access. In this example, only users in the role of <tt>TutorialUser</tt> will be
allowed to add and remove books from the cart and to list the
contents of the cart. A <tt>@RolesAllowed</tt> annotation implicitly declares a role that
will be referenced in the application; therefore, no <tt>@DeclareRoles</tt> annotation is required. The presence
of the <tt>@RolesAllowed</tt> annotation also implicitly declares that authentication will be required for
a user to access these methods. If no authentication method is specified in
the deployment descriptor, the type of authentication will be user name/password authentication.</p>



<a name="bnbzn"></a><h4>To Build, Package, Deploy, and Run the Secure Cart Example Using NetBeans IDE</h4>
<ol>
<li><b>Follow the steps in <a href="bncbx.html#gjjlk">To Set Up Your System for Running the Security Examples</a>.</b></li>
<li><b>In NetBeans IDE, from the File menu, choose Open Project.</b></li>
<li><b>In the Open Project dialog, navigate to:</b><pre><tt></tt><i>tut-install</i><tt>/examples/security/</tt></pre></li>
<li><b>Select the <tt>cart-secure</tt> folder.</b></li>
<li><b>Select the Open as Main Project and Open Required Projects check boxes.</b></li>
<li><b>Click Open Project.</b></li>
<li><b>In the Projects tab, right-click the <tt>cart-secure</tt> project and select Build.</b></li>
<li><b>In the Projects tab, right-click the <tt>cart-secure</tt> project and select Deploy.</b><p>This step builds and packages the application into <tt>cart-secure.ear</tt>, located in the directory
<tt></tt><i>tut-install</i><tt>/examples/security/cart-secure/dist/</tt>, and deploys this EAR file to your GlassFish Server instance.</p></li>
<li><b>To run the application client, right-click the <tt>cart-secure</tt> project and select Run.</b><p>A <tt>Login for user:</tt> dialog box appears.</p></li>
<li><b>In the dialog box, type the user name and password of a
file realm user created on the GlassFish Server and assigned to the group
<tt>TutorialUser</tt>; then click OK.</b><p>If the user name and password you enter are authenticated, the output of
the application client appears in the Output pane:</p><pre>...
Retrieving book title from cart: Infinite Jest
Retrieving book title from cart: Bel Canto
Retrieving book title from cart: Kafka on the Shore
Removing "Gravity's Rainbow" from cart.
Caught a BookException: "Gravity's Rainbow" not in cart.
Java Result: 1
...</pre><p>If the user name and password are not authenticated, the dialog box reappears
until you type correct values.</p></li></ol>

<a name="bnbzo"></a><h4>To Build, Package, Deploy, and Run the Secure Cart Example Using Ant</h4>
<ol>
<li><b>Follow the steps in <a href="bncbx.html#gjjlk">To Set Up Your System for Running the Security Examples</a>.</b></li>
<li><b>In a terminal window, go to:</b><pre><tt></tt><i>tut-install</i><tt>/examples/security/cart-secure/</tt></pre></li>
<li><b>To build the application and package it into an EAR file, type the
following command at the terminal window or command prompt:</b><pre><tt><b>ant</b></tt></pre></li>
<li><b>To deploy the application to the GlassFish Server, type the following command:</b><pre><tt><b>ant deploy</b></tt></pre></li>
<li><b>To run the application client, type the following command:</b><pre><tt><b>ant run</b></tt></pre><p>This task retrieves the application client JAR and runs the application client.</p><p>A <tt>Login for user:</tt> dialog box appears.</p></li>
<li><b>In the dialog box, type the user name and password of a
file realm user created on the GlassFish Server and assigned to the group
<tt>TutorialUser</tt>; then click OK.</b><p>If the user name and password are authenticated, the client displays the following
output:</p><pre>[echo] running application client container.
[exec] Retrieving book title from cart: Infinite Jest
[exec] Retrieving book title from cart: Bel Canto
[exec] Retrieving book title from cart: Kafka on the Shore
[exec] Removing "Gravity's Rainbow" from cart.
[exec] Caught a BookException: "Gravity's Rainbow" not in cart.
[exec] Result: 1</pre><p>If the username and password are not authenticated, the dialog box reappears until
you type correct values.</p></li></ol>

<a name="bncaa"></a><h3>Example: Securing an Enterprise Bean with Programmatic Security</h3>
<a name="indexterm-2158"></a><a name="indexterm-2159"></a><a name="indexterm-2160"></a><a name="indexterm-2161"></a><a name="indexterm-2162"></a><p>This example demonstrates how to use the <tt>getCallerPrincipal</tt> and <tt>isCallerInRole</tt> methods with
an enterprise bean. This example starts with a very simple EJB application, <tt>converter</tt>,
and modifies the methods of the <tt>ConverterBean</tt> so that currency conversion will occur only
when the requester is in the role of <tt>TutorialUser</tt>.</p>

<p>The completed version of this example can be found in the directory
<tt></tt><i>tut-install</i><tt>/examples/security/converter-secure</tt>. This example is based on the unsecured enterprise bean application, <tt>converter</tt>,
which is discussed in <a href="gijre.html">Chapter&nbsp;23, Getting Started with Enterprise Beans</a> and is found in the directory <tt></tt><i>tut-install</i><tt>/examples/ejb/converter/</tt>.
This section builds on the example by adding the necessary elements to secure
the application by using the <tt>getCallerPrincipal</tt> and <tt>isCallerInRole</tt> methods, which are discussed
in more detail in <a href="bnbyl.html#gjgcr">Accessing an Enterprise Bean Caller's Security Context</a>.</p>

<p>In general, the following steps are necessary when using the <tt>getCallerPrincipal</tt> and
<tt>isCallerInRole</tt> methods with an enterprise bean. In the example application included with this
tutorial, many of these steps have been completed for you and are listed
here simply to show what needs to be done should you wish to
create a similar application.</p>


<ol><li><p>Create a simple enterprise bean application.</p>

</li>
<li><p>Set up a user on the GlassFish Server in the <tt>file</tt> realm, in the group <tt>TutorialUser</tt>, and set up default principal to role mapping. To do this, follow the steps in <a href="bncbx.html#gjjlk">To Set Up Your System for Running the Security Examples</a>.</p>

</li>
<li><p>Modify the bean to add the <tt>getCallerPrincipal</tt> and <tt>isCallerInRole</tt> methods.</p>

</li>
<li><p>If the application contains a web client that is a servlet, specify security for the servlet, as described in <a href="bncbx.html#gjrmh">Specifying Security for Basic Authentication Using Annotations</a>.</p>

</li>
<li><p>Build, package, deploy, and run the application.</p>

</li></ol>


<a name="bncab"></a><h4>Modifying <tt>ConverterBean</tt></h4>
<p>The source code for the original <tt>ConverterBean</tt> class was modified to add the
<tt>if..else</tt> clause that tests whether the caller is in the role of <tt>TutorialUser</tt>.
. If the user is in the correct role, the currency conversion is
computed and displayed. If the user is not in the correct role, the
computation is not performed, and the application displays the result as <tt>0</tt>. The
code example can be found in the following file:</p>

<pre><i>tut-install</i>/examples/ejb/converter-secure/converter-secure-ejb/src/java/
converter/ejb/ConverterBean.java</pre><p>The code snippet (with modifications shown in <b>bold</b>) is as follows:</p>

<pre>package converter.ejb;

import java.math.BigDecimal;
import javax.ejb.Stateless;
<b>import java.security.Principal;</b>
<b>import javax.annotation.Resource;</b>
<b>import javax.ejb.SessionContext;</b>
<b>import javax.annotation.security.DeclareRoles;</b>
<b>import javax.annotation.security.RolesAllowed;</b>

@Stateless()
<b>@DeclareRoles("TutorialUser")</b>
public class ConverterBean{

    <b>@Resource SessionContext ctx;</b>
    private BigDecimal yenRate = new BigDecimal("89.5094");
    private BigDecimal euroRate = new BigDecimal("0.0081");

    <b>@RolesAllowed("TutorialUser")</b>
     public BigDecimal dollarToYen(BigDecimal dollars) {
        <b>BigDecimal result = new BigDecimal("0.0");</b>
        <b>Principal callerPrincipal = ctx.getCallerPrincipal();</b>
        <b>if (ctx.isCallerInRole("TutorialUser")) {</b>
            result = dollars.multiply(yenRate);
            return result.setScale(2, BigDecimal.ROUND_UP);
        <b>} else {</b>
            <b>return result.setScale(2, BigDecimal.ROUND_UP);</b>
        <b>}</b>
    }

    <b>@RolesAllowed("TutorialUser")</b>
    public BigDecimal yenToEuro(BigDecimal yen) {
        <b>BigDecimal result = new BigDecimal("0.0");</b>
        <b>Principal callerPrincipal = ctx.getCallerPrincipal();</b>
        <b>if (ctx.isCallerInRole("TutorialUser")) {</b>
             result = yen.multiply(euroRate);
             return result.setScale(2, BigDecimal.ROUND_UP);
        <b>} else {</b>
             <b>return result.setScale(2, BigDecimal.ROUND_UP);</b>
        <b>}</b>
    }
}</pre>

<a name="gkbsi"></a><h4>Modifying <tt>ConverterServlet</tt></h4>
<p>The following annotations specify security for the <tt>converter</tt> web client, <tt>ConverterServlet</tt>:</p>

<pre>@WebServlet(name = "ConverterServlet", urlPatterns = {"/"})
@ServletSecurity(
@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL,
    rolesAllowed = {"TutorialUser"}))</pre>

<a name="bncad"></a><h4>To Build, Package, and Deploy the Secure Converter Example Using NetBeans IDE</h4>
<ol>
<li><b>Follow the steps in <a href="bncbx.html#gjjlk">To Set Up Your System for Running the Security Examples</a>.</b></li>
<li><b>In NetBeans IDE, from the File menu, choose Open Project.</b></li>
<li><b>In the Open Project dialog, navigate to:</b><pre><tt></tt><i>tut-install</i><tt>/examples/security/</tt></pre></li>
<li><b>Select the <tt>converter-secure</tt> folder.</b></li>
<li><b>Select the Open as Main Project check box.</b></li>
<li><b>Click Open Project.</b></li>
<li><b>Right-click the <tt>converter-secure</tt> project and select Build. </b></li>
<li><b>Right-click the <tt>converter-secure</tt> project and select Deploy.</b></li></ol>

<a name="bncae"></a><h4>To Build, Package, and Deploy the Secure Converter Example Using Ant</h4>
<ol>
<li><b>Follow the steps in <a href="bncbx.html#gjjlk">To Set Up Your System for Running the Security Examples</a>.</b></li>
<li><b>In a terminal window, go to:</b><pre><tt></tt><i>tut-install</i><tt>/examples/security/converter-secure/</tt></pre></li>
<li><b>Type the following command:</b><pre><tt><b>ant all</b></tt></pre><p>This command both builds and deploys the example.</p></li></ol>

<a name="gjtdp"></a><h4>To Run the Secure Converter Example</h4>
<ol>
<li><b>Open a web browser to the following URL:</b><pre>http://localhost:8080/converter-secure</pre><p>An Authentication Required dialog box appears.</p></li>
<li><b>Type a user name and password combination that corresponds to a user who
has already been created in the <tt>file</tt> realm of the GlassFish Server and
has been assigned to the group of <tt>TutorialUser</tt>; then click OK.</b></li>
<li><b>Type <tt><b>100</b></tt> in the input field and click Submit.</b><p>A second page appears, showing the converted values.</p></li></ol>
         </div>
         <div class="navigation">
             <a href="bnbyl.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
             <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
             <a href="bncah.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
         </div>

         <div class="copyright">
      	    <p>Copyright &copy; 2011, Oracle and/or its affiliates. All rights reserved. <a href="docinfo.html">Legal Notices</a></p>
      	 </div>

      </td>
   </tr>
</tbody>
</table>
</body>
</html>

